authortron <tron>2007-05-06 13:08:33 +0000
committertron <tron>2007-05-06 13:08:33 +0000
commite95c9c04e4d9aa0f4861225fb62fd8dfdac3b8c4 (patch)
tree7cc650772901d7f5afe92f49a11c34624d7817ca /lang/php5
parent6910bdac9ba3aa3e1d6d0f4a846105fe329eea4e (diff)
Add security fix for CVE-2007-1001 to "php4-gd" and "php5-gd" packages.
Bump package revision.
Diffstat (limited to 'lang/php5')
-rw-r--r--lang/php5/distinfo3
-rw-r--r--lang/php5/patches/patch-ac40
2 files changed, 42 insertions, 1 deletions
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index 86b912dd836..e76202229d4 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.38 2007/04/29 12:30:18 taca Exp $
+$NetBSD: distinfo,v 1.39 2007/05/06 13:08:33 tron Exp $
SHA1 (php-5.2.1/php-5.2.1.tar.bz2) = 978ce7cde3d988d9aa672e32e46f815a8b25baa0
RMD160 (php-5.2.1/php-5.2.1.tar.bz2) = f75078e0e43cb9c64e6d0a8d51a2ebd23cc9131d
Size (php-5.2.1/php-5.2.1.tar.bz2) = 7163383 bytes
SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
SHA1 (patch-ab) = e4131ba531bc7afdf478802dac33a47fa2f87b88
+SHA1 (patch-ac) = 0e260cfdbc247f2960f73af79324529efadcb25f
SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
diff --git a/lang/php5/patches/patch-ac b/lang/php5/patches/patch-ac
new file mode 100644
index 00000000000..39d6a620db1
--- /dev/null
+++ b/lang/php5/patches/patch-ac
@@ -0,0 +1,40 @@
+$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
+
+Patch for CVE-2007-1001, taken from here:
+
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
+
+--- ext/gd/libgd/wbmp.c.orig 2003-12-31 01:01:44.000000000 +0000
++++ ext/gd/libgd/wbmp.c 2007-05-06 13:41:13.000000000 +0100
+@@ -116,6 +116,15 @@
+ if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
+ return (NULL);
+
++ if (overflow2(sizeof (int), width)) {
++ gdFree(wbmp);
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height)) {
++ gdFree(wbmp);
++ return NULL;
++ }
++
+ if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
+ {
+ gdFree (wbmp);
+@@ -176,7 +185,14 @@
+ printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
+ #endif
+
+- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
++ if (overflow2(sizeof (int), wbmp->width) ||
++ overflow2(sizeof (int) * wbmp->width, wbmp->height))
++ {
++ gdFree(wbmp);
++ return (-1);
++ }
++
++ if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
+ {
+ gdFree (wbmp);
+ return (-1);
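Review bot: In the first wbmp.c hunk the allocation still computes `width * height` in the operands' own type, while the second hunk casts to `(size_t)` and passes the safe_emalloc arguments in the opposite order. The product there is bounded only because the two overflow2() guards run immediately before it. Writing the first call as `safe_emalloc((size_t)width * height, sizeof(int), 0)` would make both sites read the same and keep the multiplication safe if the guards are ever moved or relaxed. overflow2() is defined outside this patch, so it is worth confirming that it also rejects zero and negative dimensions, since the second site appears to take width and height from the parsed image header. Both function bodies continue outside the hunks shown, so later uses of the same product are not covered by this review.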